Windows Analysis Report
prevhost.exe

Overview

General Information

Sample name:prevhost.exe
Analysis ID:1592539
MD5:ef917f8e0dab8500f8bf201c3dcc9ea7
SHA1:a6949bd943e11c032f3e0f420badb75519eb169a
SHA256:531942d43420fe260b4dd4279920fc31c6c6bd0a9c64b61be3fad36cb7507482

Detection

Score:1
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Binary contains a suspicious time stamp
Program does not show much activity (idle)
Uses 32bit PE files

Classification

  • System is w10x64
  • prevhost.exe (PID: 4052 cmdline: "C:\Users\user\Desktop\prevhost.exe" MD5: EF917F8E0DAB8500F8BF201C3DCC9EA7)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

All signature results (no malicious signatures were triggered):

Source: prevhost.exe; static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: prevhost.exe; static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: binary string: prevhost.pdb (source: prevhost.exe)
Source: binary string: prevhost.pdbGCTL (source: prevhost.exe)
Source: classification engine; classification label: clean1.winEXE@1/0@0/0
Source: prevhost.exe; static PE information: section .text: IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\prevhost.exe; key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\prevhost.exe; section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\prevhost.exe; section loaded: uxtheme.dll
Source: prevhost.exe; static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: prevhost.exe; static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: prevhost.exe; static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: prevhost.exe; static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: prevhost.exe; static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: prevhost.exe; static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: prevhost.exe; static PE information: time stamp 0xC0C8E170 [Wed Jun 29 01:46:24 2072 UTC]
Source: all processes; thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
MITRE ATT&CK matrix. Techniques with signature hits (hit count in parentheses); the remaining cells of the matrix were empty placeholders:
  • Persistence: DLL Side-Loading (1)
  • Privilege Escalation: DLL Side-Loading (1)
  • Defense Evasion: Timestomp (1), DLL Side-Loading (1)
  • Discovery: System Information Discovery (1)
Antivirus detection (source, detection, scanner):
  • prevhost.exe: 0%, Virustotal
  • prevhost.exe: 0%, ReversingLabs
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:42.0.0 Malachite
Analysis ID:1592539
Start date and time:2025-01-16 09:12:43 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 1m 40s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:2
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:prevhost.exe
Detection:CLEAN
Classification:clean1.winEXE@1/0@0/0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Excluded IPs from analysis (whitelisted): 13.107.246.45
  • Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net
No simulations
No context
No created / dropped files found
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.055013874894348
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:prevhost.exe
File size:27'648 bytes
MD5:ef917f8e0dab8500f8bf201c3dcc9ea7
SHA1:a6949bd943e11c032f3e0f420badb75519eb169a
SHA256:531942d43420fe260b4dd4279920fc31c6c6bd0a9c64b61be3fad36cb7507482
SHA512:9979e6b7082b5d3880cbc1518e09041c94ebc8c77c5fdfe745b3847ba8279143bbb6a95285693a65ae004254038bb4fb6de2469910448b7d9e196f63fb6a5223
SSDEEP:384:t5n6YGYpeQpKp0ckCkh9RR8bikNUAwzhAcEHozBqWgelxm2fMwSZrAyf9WQcWgq:Dn6YpQQpKp0eTyycEHAqLr2fM7Ayfh/
TLSH:5BC2199265DC5171DAF227B0056DF229D13FB5A04B9184C3662C4BFEBB397C0AE7029B
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......._.................y.....P.......P.......P.......P...........L...P.......P.......P.......Rich....................PE..L...p......
Icon Hash:00928e8e8686b000
Entrypoint:0x404e30
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:0xC0C8E170 [Wed Jun 29 01:46:24 2072 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:10
OS Version Minor:0
File Version Major:10
File Version Minor:0
Subsystem Version Major:10
Subsystem Version Minor:0
Import Hash:64ad0500b99b03083d39c3f6afaf2c66
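The static fields above (time stamp, image and DLL characteristics, "Digitally signed", per-section entropy) are plain header reads, and a triager should be able to reproduce them without the sandbox. The following Python is an added example, not part of the Joe Sandbox report and not Microsoft code: it parses just enough of the PE header to compute those fields and runs on a constructed PE32 that carries this report's header values (TimeDateStamp 0xC0C8E170, Characteristics 0x0102, DllCharacteristics 0xC140, entry point 0x4e30). The sample bytes, its two section bodies and the reference date passed to timestamp_is_future are assumptions of the example. Two caveats apply to the report's "suspicious time stamp" and "Digitally signed: false" findings: Microsoft's reproducible builds write a build hash into TimeDateStamp rather than a real time, so an impossible date on a Windows binary is expected and is not on its own evidence of timestomping; and "Digitally signed" only reports whether the SECURITY data directory is non-empty, while Windows system binaries are normally catalog-signed, so confirm with Get-AuthenticodeSignature on a Windows host before treating the file as unsigned.

```python
"""Minimal PE header triage (added example): the checks behind the report's static
PE fields, computed without pefile and run on a constructed PE32 sample."""
import math
import struct
from collections import Counter
from datetime import datetime, timezone

# IMAGE_FILE_* (COFF Characteristics) and IMAGE_DLLCHARACTERISTICS_* bits from the PE spec.
FILE_FLAGS = {0x0002: "EXECUTABLE_IMAGE", 0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_FLAGS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
             0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x1000: "APPCONTAINER",
             0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE"}
SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: embedded Authenticode blob


def decode_flags(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def shannon_entropy(buf):
    """Bits per byte, 0.0 (constant) .. 8.0 (uniform); the 'Entropy' column of the section table."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def timestamp_is_future(ts, now=None, slack=86400):
    """The check behind 'Binary contains a suspicious time stamp': link time later than now."""
    if now is None:
        now = int(datetime.now(timezone.utc).timestamp())
    return ts > now + slack


def parse_pe(data):
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, nsections, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    pe32plus = magic == 0x20B
    entry, = struct.unpack_from("<I", data, opt + 16)
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)  # same offset for PE32 and PE32+
    dirs = opt + (112 if pe32plus else 96)                            # first IMAGE_DATA_DIRECTORY
    _, sec_size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR)
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, hdr)
        sec_chars, = struct.unpack_from("<I", data, hdr + 36)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "rawsize": rawsize,
                         "entropy": shannon_entropy(data[rawptr:rawptr + rawsize]),
                         "executable": bool(sec_chars & 0x20000000)})  # IMAGE_SCN_MEM_EXECUTE
    stamp = datetime.fromtimestamp(ts, tz=timezone.utc)
    return {"machine": machine, "pe32plus": pe32plus, "entry": entry, "subsystem": subsystem,
            "timestamp": ts, "timestamp_utc": stamp.strftime("%a %b %d %H:%M:%S %Y UTC"),
            "file_characteristics": decode_flags(chars, FILE_FLAGS),
            "dll_characteristics": decode_flags(dll_chars, DLL_FLAGS),
            # What 'Digitally signed' reports; catalog signatures live outside the file.
            "embedded_signature": sec_size != 0,
            "sections": sections}


def build_sample_pe():
    """Constructed PE32 (an assumption of this example, not the real prevhost.exe) with the report's header values."""
    e_lfanew, file_align = 0x80, 0x200
    secs = [(b".text", bytes(range(256)) * 2, 0x60000020),  # code, exec, read: uniform bytes -> entropy 8.0
            (b".data", b"\0" * 0x200, 0xC0000040)]           # data, read/write: zeros -> entropy 0.0
    opt_size = 96 + 8 * 16
    hdr_len = e_lfanew + 4 + 20 + opt_size + 40 * len(secs)
    hdr_len = -(-hdr_len // file_align) * file_align
    out = bytearray(b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew))
    out += b"\0" * (e_lfanew - len(out))
    out += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(secs), 0xC0C8E170, 0, 0, opt_size, 0x0102)
    out += struct.pack("<HBB" "IIIIIIIII" "HHHHHH" "IIII" "HH" "IIIIII",
                       0x10B, 14, 0, 0x200, 0x200, 0, 0x4E30, 0x1000, 0x2000, 0x400000, 0x1000,
                       file_align, 10, 0, 10, 0, 10, 0, 0, 0x3000, hdr_len, 0, 2, 0xC140,
                       0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    out += b"\0" * (8 * 16)  # all 16 data directories empty, SECURITY included
    body = bytearray()
    for i, (name, raw, sec_chars) in enumerate(secs):
        rawptr = hdr_len + len(body)
        out += struct.pack("<8sIIIIIIHHI", name, len(raw), 0x1000 * (i + 1), len(raw), rawptr,
                           0, 0, 0, 0, sec_chars)
        body += raw
    out += b"\0" * (hdr_len - len(out))
    return bytes(out + body)


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(info["timestamp_utc"], "future:", timestamp_is_future(info["timestamp"]))
    print(info["file_characteristics"], info["dll_characteristics"], "signed:", info["embedded_signature"])
    for s in info["sections"]:
        print(f"{s['name']:8} va=0x{s['va']:x} entropy={s['entropy']:.2f} exec={s['executable']}")
```

To triage the real file, call parse_pe(open(path, "rb").read()): the per-section entropies it returns are computed the same way as the "Entropy" column of the section table, embedded_signature comes out False because IMAGE_DIRECTORY_ENTRY_SECURITY is 0x0/0x0, and the decoded time stamp matches the 2072 date in the header fields above.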
Instructions at the entrypoint (0x404e30):
call 00007FDF1455DD79h
jmp 00007FDF1455D58Ch
int3
int3
int3
int3
int3
int3
int3
push 00000058h
push 00405860h
call 00007FDF1455DE24h
xor ebx, ebx
mov dword ptr [ebp-20h], ebx
lea eax, dword ptr [ebp-68h]
push eax
call dword ptr [004070F8h]
mov dword ptr [ebp-04h], ebx
mov eax, dword ptr fs:[00000018h]
mov esi, dword ptr [eax+04h]
mov edi, ebx
mov edx, 00406490h
mov ecx, esi
xor eax, eax
lock cmpxchg dword ptr [edx], ecx
test eax, eax
je 00007FDF1455D59Ah
cmp eax, esi
jne 00007FDF1455D589h
xor esi, esi
inc esi
mov edi, esi
jmp 00007FDF1455D592h
push 000003E8h
call dword ptr [0040710Ch]
jmp 00007FDF1455D559h
xor esi, esi
inc esi
cmp dword ptr [00406494h], esi
jne 00007FDF1455D58Ch
push 0000001Fh
call 00007FDF1455DB86h
pop ecx
jmp 00007FDF1455D5BCh
cmp dword ptr [00406494h], ebx
jne 00007FDF1455D5AEh
mov dword ptr [00406494h], esi
push 00401188h
push 0040117Ch
call 00007FDF1455D6E6h
pop ecx
pop ecx
test eax, eax
je 00007FDF1455D599h
mov dword ptr [ebp-04h], FFFFFFFEh
mov eax, 000000FFh
jmp 00007FDF1455D6B9h
mov dword ptr [00406064h], esi
cmp dword ptr [00406494h], esi
jne 00007FDF1455D59Dh
push 00401178h
push 00401160h
call 00007FDF1455DD6Ch
Programming Language:
  • [IMP] VS2008 SP1 build 30729
Data directories (name: virtual address, virtual size, containing section):
IMAGE_DIRECTORY_ENTRY_EXPORT: 0x0, 0x0
IMAGE_DIRECTORY_ENTRY_IMPORT: 0x7198, 0x118, .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE: 0x8000, 0x8e8, .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION: 0x0, 0x0
IMAGE_DIRECTORY_ENTRY_SECURITY: 0x0, 0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC: 0x9000, 0x4b0, .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG: 0x1548, 0x54, .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT: 0x0, 0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR: 0x0, 0x0
IMAGE_DIRECTORY_ENTRY_TLS: 0x0, 0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG: 0x10a0, 0xc0, .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT: 0x0, 0x0
IMAGE_DIRECTORY_ENTRY_IAT: 0x7000, 0x190, .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT: 0x0, 0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: 0x0, 0x0
IMAGE_DIRECTORY_ENTRY_RESERVED: 0x0, 0x0
Sections (name | virtual address | virtual size | raw size | MD5 | xored PE | ZLIB complexity | file type | entropy | characteristics):
.text | 0x1000 | 0x4934 | 0x4a00 | 3bc516aebc136005f4913c3fb7e49f1e | False | 0.5591744087837838 | data | 6.195324562861127 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x6000 | 0x500 | 0x200 | 050be2aede47ce3d2bdc6d3e1b52e0d2 | False | 0.068359375 | data | 0.28578180731160896 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x7000 | 0xb1e | 0xc00 | a982691b91c8fd9c14fca5f82ab3b371 | False | 0.4329427083333333 | x86 executable | 4.770627592688134 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x8000 | 0x8e8 | 0xa00 | bb81545586817a7ca0bdd70f2b88e3c1 | False | 0.3953125 | data | 4.406409887054605 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x9000 | 0x4b0 | 0x600 | 5852eb4ce70f53349a7fee3474e5c4c2 | False | 0.7096354166666666 | data | 5.727686765440488 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Resources (name | RVA | size | type | language | country | ZLIB complexity):
RT_VERSION | 0x8538 | 0x3ac | data | English | United States | 0.46808510638297873
RT_MANIFEST | 0x80a0 | 0x493 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.43552519214346713
Imports (DLL: imported functions):
KERNEL32.dll: GetModuleHandleExW, WaitForSingleObject, GetCurrentThreadId, ReleaseMutex, CreateEventW, FormatMessageW, GetLastError, OutputDebugStringW, SetEvent, WaitForSingleObjectEx, ReleaseSemaphore, CloseHandle, HeapSetInformation, HeapAlloc, GetProcAddress, CreateMutexExW, GetCurrentProcessId, GetProcessHeap, GetModuleHandleW, DebugBreak, IsDebuggerPresent, SetLastError, HeapFree, CreateSemaphoreExW, OpenSemaphoreW, GetModuleFileNameA
USER32.dll: PeekMessageW, DispatchMessageW, MsgWaitForMultipleObjects, TranslateMessage
msvcrt.dll: __setusermatherr, _initterm, free, __CxxFrameHandler3, _exit, _except_handler4_common, _unlock, _cexit, __p__fmode, exit, __dllonexit, _lock, _onexit, ?terminate@@YAXXZ, _controlfp, _ismbblead, _callnewh, malloc, memcpy_s, _vsnwprintf, __set_app_type, __getmainargs, _amsg_exit, __p__commode, _XcptFilter, _acmdln, memset
api-ms-win-core-com-l1-1-0.dll: CoInitializeEx, CLSIDFromString, CoRegisterSurrogate, CoRevokeClassObject, CoGetInterfaceAndReleaseStream, CoFreeUnusedLibraries, CoUninitialize, CoInitializeSecurity, CoMarshalInterThreadInterfaceInStream, CoReleaseMarshalData, CoRegisterClassObject, CoCreateInstance
api-ms-win-core-com-l1-1-1.dll: RoGetAgileReference
api-ms-win-core-synch-l1-2-0.dll: Sleep
api-ms-win-core-processthreads-l1-1-0.dll: TerminateProcess, GetStartupInfoW, GetCurrentProcess
api-ms-win-core-errorhandling-l1-1-0.dll: SetUnhandledExceptionFilter, UnhandledExceptionFilter
api-ms-win-core-profile-l1-1-0.dll: QueryPerformanceCounter
api-ms-win-core-sysinfo-l1-1-0.dll: GetSystemTimeAsFileTime, GetTickCount
COMCTL32.dll: (no functions listed)
SHELL32.dll: (no functions listed)
SHLWAPI.dll: (no functions listed)
Language of compilation system: English (country where language is spoken: United States)
No network behavior found

Target ID:0
Start time:03:13:35
Start date:16/01/2025
Path:C:\Users\user\Desktop\prevhost.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\prevhost.exe"
Imagebase:0xad0000
File size:27'648 bytes
MD5 hash:EF917F8E0DAB8500F8BF201C3DCC9EA7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

No disassembly